Using Threat data in your vulnerability management strategy with MISP

Building a good patch management strategy in any company is rarely simple: every decision comes back to the trade-off between coverage, risk and cost.

Some companies expect to be 100% patched regardless of how critical a patch is, which means treating a fix for a button that does not work the same way as a fix for a critical vulnerability that is being exploited in the wild.

This blog post focuses on patches that fix vulnerabilities, and on how organizations can reduce the cost and minimize the risk by using the MISP Threat Sharing Platform.

Using CVSS

The Common Vulnerability Scoring System (CVSS - https://www.first.org/cvss/v3-1/ ) is one approach that some companies have started to adopt. It is a metric system that scores a vulnerability from 0 to 10 based on a number of vectors.

The Base Score is the static part of the score, while the Temporal Score has the potential to change over time (for example when exploit code becomes available or a fix is released).

A CVSS score of 10 is the most critical and should be patched as soon as possible. As an example, CVE-2019-0708, also known as BlueKeep, has a CVSS score between 9.8 and 10 depending on which version of CVSS is used (9.8 under CVSS v3, 10.0 under CVSS v2).

(Figure: CVSS metrics for CVE-2019-0708)

In some cases this works well to make sure that what at first looks like the most critical vulnerabilities are fixed first. However, it assumes that one vulnerability equals one threat.

It does not take into account that two or three vulnerabilities chained together can pose a much bigger threat, nor where the vulnerable system sits. Think of it this way: if you do not expose any RDP services to the internet, then however important the BlueKeep patch is, it might not be as critical as a WordPress RCE vulnerability (CVE-2019-8943), which has a CVSS Base Score of 6.5, on a server that is exposed to the internet.

(Figure: CVSS metrics for CVE-2019-8943)


So the overall conclusion on CVSS is that it is good for giving an overall metric score to a vulnerability, but it is not optimal for prioritizing vulnerabilities or for deciding how your patch strategy should be run, because it takes into consideration neither where the vulnerable device is located nor whether the vulnerability is actually being exploited.


If it is exploitable: prioritize it in your vulnerability management

(Figure source: Predictive Vulnerability Scoring)

The point of prioritizing vulnerabilities was also presented at this year's Black Hat in Las Vegas in the talk "Predictive Vulnerability Scoring System", which covered that you need to choose how to get the biggest threat coverage for the lowest cost (money and time).

What you should do is look for vulnerabilities where an exploit is mentioned or is publicly available, and start by prioritizing these.

A simple example is to extract CVEs from Metasploit and other open sources.


Extracting CVEs from Metasploit

The reason for extracting CVEs from Metasploit is to use them to prioritize your patch strategy, and they are rather trivial to obtain and use.

As an example, here is how you could set up a continuous feed.

In this example we are using https://github.com/rapid7/metasploit-framework, the open-source (community) edition.

cd /opt/
git clone https://github.com/rapid7/metasploit-framework.git

(Figure: example of a bash script to extract CVEs from Metasploit)

Create a bash script that runs every 12 hours, for example from cron, filters the CVEs out of the module source code and publishes the result on a web server so it can be consumed as a feed.
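As an added example of that extraction step (this is not the script in the screenshot above, and it is written in Python rather than bash), the following builds the feed from a Metasploit checkout. It assumes the checkout lives under /opt/metasploit-framework and that modules reference CVEs as ['CVE', 'YYYY-NNNN'] in their References array; the file name msf_cve_feed.py and the two sample module fragments it creates for a dry run are constructed here and are not real Metasploit modules.

```python
"""Added example, not the post's own script (the post uses bash; this is Python):
build a one-CVE-per-line feed from the CVE references in Metasploit module source.

Assumes a checkout of https://github.com/rapid7/metasploit-framework, where each
module lists its references as ['CVE', 'YYYY-NNNN'] inside a 'References' array.
"""
import re
import sys
import tempfile
from pathlib import Path

# Matches ['CVE', '2019-0708'], ["CVE", "2019-0708"] and spacing variants;
# group 1 is the YYYY-NNNN part (CVE sequence numbers have 4 or more digits).
CVE_REF = re.compile(r"""\[\s*['"]CVE['"]\s*,\s*['"](\d{4}-\d{4,})['"]\s*\]""", re.IGNORECASE)


def extract_cves(module_root):
    """Return the sorted, de-duplicated CVE IDs referenced by .rb files under module_root."""
    found = set()
    for path in Path(module_root).rglob("*.rb"):
        text = path.read_text(encoding="utf-8", errors="replace")
        found.update(f"CVE-{m}" for m in CVE_REF.findall(text))
    return sorted(found)


def write_feed(module_root, out_path):
    """Write the feed file (one CVE per line, no header) and return the entry count."""
    cves = extract_cves(module_root)
    Path(out_path).write_text("".join(f"{c}\n" for c in cves), encoding="utf-8")
    return len(cves)


# Constructed module fragments for the dry run (not real Metasploit modules).
SAMPLE_BLUEKEEP = """\
      'References'    =>
        [
          ['CVE', '2019-0708'],
          ['URL', 'https://example.invalid/advisory']
        ],
"""

SAMPLE_WP_CROP = """\
      'References' => [
        ["CVE", "2019-8942"],
        [ 'CVE', '2019-8943' ],
        ['CVE', '2019-8942']
      ],
"""


def make_sample_modules(root):
    """Write the constructed sample fragments into a modules/ tree; returns the directory to scan."""
    rdp = Path(root) / "modules" / "exploits" / "windows" / "rdp"
    wp = Path(root) / "modules" / "exploits" / "multi" / "http"
    rdp.mkdir(parents=True, exist_ok=True)
    wp.mkdir(parents=True, exist_ok=True)
    (rdp / "sample_bluekeep.rb").write_text(SAMPLE_BLUEKEEP, encoding="utf-8")
    (wp / "sample_wp_crop.rb").write_text(SAMPLE_WP_CROP, encoding="utf-8")
    return Path(root) / "modules"


def demo():
    """Dry run on the constructed sample: returns (cve list, entries written, feed lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        module_root = make_sample_modules(tmp)
        out = Path(tmp) / "metasploit-cve"
        count = write_feed(module_root, out)
        return extract_cves(module_root), count, out.read_text(encoding="utf-8").splitlines()


if __name__ == "__main__":
    # Usage, e.g. from cron twice a day after 'git pull' in the checkout:
    #   python3 msf_cve_feed.py /opt/metasploit-framework/modules /var/www/feeds/metasploit-cve
    if len(sys.argv) == 3:
        print(f"{write_feed(sys.argv[1], sys.argv[2])} CVEs written to {sys.argv[2]}")
    else:
        print(demo())
```

The duplicate and differently quoted references in the sample are there on purpose: a module may list the same CVE more than once, and the feed must contain each CVE exactly once so that MISP does not create duplicate attributes when it ingests the file.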


MISP - Real-time updates from shared threats

Extracting CVEs from Metasploit is really useful, but using the MISP platform extends the gain even further, because MISP's sharing capabilities give you the context around a given vulnerability being exploited.

As an example, this is information pulled from a ZDNet article, "US Cyber Command issues alert about hackers exploiting Outlook vulnerabilities", and converted into a MISP event.

This gives information both about the vulnerability being used and about the context it is used in, which helps with prioritization.

Adding Metasploit into MISP as a custom feed

At the same time, taking the Metasploit information created earlier and converting it into a feed centralizes your threat visibility into which known CVEs are being mentioned, used or publicly seen being used.

The Metasploit CVE feed can be pulled from https://feeds.ecrimelabs.net/data/metasploit-cve ; the feed is updated twice a day.

From MISP to the Vulnerability/Patch Management team

So we have now collected the data from Metasploit and combined it with the large data set from our MISP threat sharing (#SharingIsCaring). It is now a trivial task to get the correlated information to your Patch or Vulnerability Management team so they can make use of it.

In MISP you can access this directly from the export function or through the REST API search.
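As an added example of the REST API route (this is not MISP's own client code, not PyMISP, and not any eCrimeLabs product), the following queries MISP's attribute search for CVE attributes seen in a time window and turns the result into a per-CVE summary for the patch team. It assumes a MISP instance reachable at the misp_url you pass in (https://misp.example below is a placeholder), queried with POST /attributes/restSearch and an API key in the Authorization header. SAMPLE_RESPONSE is a constructed response used for the offline dry run, not data from any real instance. If the Metasploit feed has already been added to MISP as a feed, that correlation is in the MISP data itself; the local check against the feed's CVE list below covers the case where it has not.

```python
"""Added example, not MISP's own client code and not an eCrimeLabs product:
query MISP's REST search for vulnerability attributes seen in a time window and
turn the result into a per-CVE summary for the patch/vulnerability management team.

Assumes a MISP instance at misp_url with an API key (Authorization header),
queried through POST /attributes/restSearch. SAMPLE_RESPONSE is constructed
for the offline dry run and is not data from any real MISP instance.
"""
import json
import urllib.request


def build_query(last="7d", tags=None):
    """Request body for POST /attributes/restSearch: CVE attributes from the last window."""
    body = {
        "returnFormat": "json",
        "type": "vulnerability",   # MISP attribute type that carries CVE identifiers
        "last": last,              # e.g. "7d", "1m", "1y": what has been seen lately
        "includeEventTags": True,  # also return the event's tags (tlp:, galaxies) with each attribute
    }
    if tags:
        body["tags"] = list(tags)
    return body


def fetch_attributes(misp_url, api_key, body):
    """Send the query to MISP and return the decoded JSON (network call, not used in the dry run)."""
    req = urllib.request.Request(
        misp_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_feed(text):
    """CVE IDs from a one-per-line feed such as the Metasploit CVE feed; '#' lines are ignored."""
    return {line.strip().upper() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def summarize(result, exploit_feed_cves=frozenset()):
    """Group MISP vulnerability attributes by CVE and order them for the patch team:
    CVEs with a public exploit (present in the feed) first, then by number of events."""
    by_cve = {}
    for attr in result.get("response", {}).get("Attribute", []):
        cve = attr.get("value", "").strip().upper()
        if not cve.startswith("CVE-"):
            continue  # type=vulnerability can hold other identifiers; keep CVEs only
        entry = by_cve.setdefault(cve, {"events": {}, "tags": set()})
        entry["events"][str(attr["event_id"])] = attr.get("Event", {}).get("info", "")
        entry["tags"].update(t["name"] for t in attr.get("Tag", []))
    rows = [{
        "cve": cve,
        "exploit_public": cve in exploit_feed_cves,
        "event_count": len(e["events"]),
        "events": sorted(e["events"].items()),
        "tags": sorted(e["tags"]),
    } for cve, e in by_cve.items()]
    rows.sort(key=lambda r: (not r["exploit_public"], -r["event_count"], r["cve"]))
    return rows


# Constructed sample of a restSearch JSON response (shape only; not real sightings).
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"event_id": "101", "type": "vulnerability", "value": "CVE-2019-0708",
     "Event": {"info": "Constructed: RDP scanning campaign"}, "Tag": [{"name": "tlp:white"}]},
    {"event_id": "102", "type": "vulnerability", "value": "CVE-2019-0708",
     "Event": {"info": "Constructed: exploit kit update"}, "Tag": []},
    {"event_id": "103", "type": "vulnerability", "value": "cve-2019-8943",
     "Event": {"info": "Constructed: WordPress site compromises"}, "Tag": [{"name": "tlp:amber"}]},
]}}


if __name__ == "__main__":
    # Live use: summarize(fetch_attributes("https://misp.example", API_KEY, build_query("1m")), feed)
    feed = parse_feed("CVE-2019-0708\nCVE-2019-8942\n")  # e.g. the contents of the Metasploit CVE feed
    for row in summarize(SAMPLE_RESPONSE, feed):
        print(row["cve"], "exploit public" if row["exploit_public"] else "-", row["event_count"], row["tags"])
```

The ordering is the post's rule made explicit: anything with a public exploit goes to the top regardless of its CVSS score, and within each group the CVE seen in the most events comes first. The "last" parameter is what gives the team the "seen in the last week, month or year" view.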

eCrimeLabs customers using the Cratos API have this capability out of the box, with the possibility of getting the vulnerability information based on time, e.g. what has been seen in the last week, month or year.


Conclusion

So the bottom line: "If there is an exploit mentioned or publicly available, you should prioritize patching it, no matter what CVSS score or risk level it is marked with".